new_libpcap

来自「基于TCP/IP协议的网络入侵检测系统是在Linux平台下」· 代码 · 共 24 行

                             ====================
                                 libnids-1.16
                             ====================

	The following applies to Linux only.
	Linux 2.0.x kernels introduces sockets of family PF_PACKET. Recent
Linux distributions, like RedHat >=6.1, are shipped with libpcap, which uses
PF_PACKET sockets. New function, pcap_open_live_new() is introduced, which
allows to gather packets from all devices, including loopback (!).
Unfortunately, libnids <=1.13 didn't work with this new libpcap (in my
opinion, it's the fault of the latter). This is fixed (well, worked around) 
in 1.14. 
	In order to capture packets from all devices, one should set
nids_params.device to "all". If nids_params.promisc is non-zero, all
interfaces will be set to promiscuous mode.
	A certain problem may arise, if the machine routes packets among its
interfaces. New libpcap will pass to userspace a copy of a packet per each
interface this packet travels through. This is no problem for libnids TCP
reassembly, as it deals perfectly with duplicate packets - tcp callback
functions will not notice anything unusuall. However, UDP and IP callbacks
will receive duplicate packets. This behaviour is blocked by libnids in case 
of loopback device (single copies of packets will be received).